automatic updates
-
Friday, March 22, 2013 10:19 AM
Hi all,
I want to configure a GPO to do the following:
- download and install Windows updates every Monday evening at 5pm
I have created and applied the GPO, but I was wondering if there are any little tweaks or other group policy settings I need to add to the above to make this policy work correctly?
I ask as I've made changes in the past with GPO and often missed little bits that make the GPO fail to have the effect I want.
Thanks
All Replies
-
Friday, March 22, 2013 5:09 PM
There is a very good series going on in Patchzone that describes how to configure the WUA. Check out this link for the articles.
Hope this helps!
-
Sunday, March 24, 2013 12:52 AM
Hello,
What settings do you have so far?
I prefer these:
- Allow Automatic Updates immediate installation: that will install updates that don't require attention or a reboot.
- Automatic Updates detection frequency: should happen after your WSUS has synchronized
- Disable No auto-restart with logged on users for scheduled automatic updates installation
- Enable and use default for Re-prompt for restart with scheduled installations
- Enable and use default for Delay Restart for scheduled installations
- Enable and use default for Reschedule Automatic Updates scheduled installations.
- Disable Turn on recommended updates via Automatic Updates
And I use client-side targeting too. That will help you organize your clients in the WSUS console, i.e. Servers and Workstations (requires separate GPOs). Remember to enable that as well in the WSUS console -> Options -> Computers, then let GPO handle the clients.
//
Best Regards
Jesper Vindum, Denmark
-
Tuesday, March 26, 2013 9:45 PM Moderator
Automatic Updates detection frequency: should happen after your WSUS has synchronized
It's somewhat difficult to coordinate this event in direct correlation with the WSUS server. The WSUS server has a fixed synchronization cycle, every 24 hours, 12 hours, 8 hours, 6 hours, 4 hours, etc. The WUAgent, however, has a floating detection event that's based on a negative random offset from a specified number of hours (not times per day). Even if you scheduled server syncs as 4x per day (every 6 hours), and set the client detection to every six hours, the actual client sync will be every 4.8-6.0 hours, and the next detection is calculated at the end of each successful detection. It's conceivable that a client with a 6-hour detection interval can actually run five detections in a 24-hour period.
Enable and use default for Re-prompt for restart with scheduled installations
Enable and use default for Delay Restart for scheduled installations
Enable and use default for Reschedule Automatic Updates scheduled installations.
A pedantic point... but if you're using the defaults, there's no need to enable the policy settings. These defaults are actually hard-coded in the Windows Update Agent and those values will be used unless these policies are enabled and do not have the 'default' settings configured.
Disable Turn on recommended updates via Automatic Updates
This setting is irrelevant in a WSUS environment, unless you're allowing users to scan WU/MU from the Control Panel. The concept of "recommended updates" does not exist in WSUS; however, if users can scan WU/MU this will preclude them from inadvertently installing some updates that maybe you've not yet approved. I would argue, however, that the better option is to block access to WU/MU entirely.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2013)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
- Marked As Answer by Clarence Zhang (Moderator), Monday, April 01, 2013 6:32 AM
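The detection timing described in the moderator's reply above, as an added simulation that is not part of the thread and not Microsoft code: it shows how a 6-hour client interval drifts against a fixed 6-hour server sync and how often a day ends up with five detections. The 0-20% offset is taken from the 4.8-6.0 hour figure in the reply; the uniform draw, instantaneous scans and all function names are assumptions.

```python
import bisect
import random

OFFSET_MAX = 0.20  # 6 h interval -> 4.8-6.0 h, the range quoted in the reply


def detection_times(interval_h, horizon_h, rng):
    """Client detection times in hours, starting with one at t=0.

    The next detection is scheduled when the previous one completes, at the
    interval minus a random 0-20% (uniform draw and instantaneous scans are
    assumptions of this sketch).
    """
    t, times = 0.0, [0.0]
    while True:
        t += interval_h * (1.0 - rng.uniform(0.0, OFFSET_MAX))
        if t >= horizon_h:
            return times
        times.append(t)


def detections_per_day(times, days):
    """Number of detections inside each consecutive 24-hour window."""
    counts = [0] * days
    for t in times:
        counts[int(t // 24)] += 1
    return counts


def sync_to_detect_lag(times, sync_every_h):
    """Hours from each fixed-cycle server sync to the next client detection."""
    lags, sync = [], 0.0
    while True:
        i = bisect.bisect_left(times, sync)
        if i == len(times):
            return lags
        lags.append(times[i] - sync)
        sync += sync_every_h


if __name__ == "__main__":
    rng = random.Random(2013)  # fixed seed so the run is repeatable
    times = detection_times(6, 30 * 24, rng)
    per_day = detections_per_day(times, 30)
    lags = sync_to_detect_lag(times, 6)
    print("detections/day:", per_day)
    print("days with five detections:", per_day.count(5))
    print("sync-to-detect lag: min %.1f h, max %.1f h" % (min(lags), max(lags)))
```

The lag figures are the practical takeaway: with matching 6-hour settings, a newly synchronized approval can still sit for close to six hours before a given client sees it.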

